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IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

Inventor(s) : Joerg SCHWENK 

Serial No. : To Be Assigned 

Filed : Herewith 

For : PROCESS FOR ESTABLISHING A COMMON 

CRYPTOGRAPHIC KEY FOR N SUBSCRIBERS 

Examiner : To Be Assigned 

Art Unit : To Be Assigned 

Assistant Commissioner for Patents 
Washington, D.C. 20231 

PRELIMINARY AMENDMENT 

SIR: 

Kindly amend the above-identified application before examination, as set 
forth below. 

IN THE TITLE : 

Please replace the title with the following: 
-PROCESS FOR ESTABLISHING A COMMON CRYPTOGRAPHIC KEY FOR N 
SUBSCRIBERS-. 

IN THE SPECIFICATION : 

Please amend the specification, including abstract, pursuant to the 
attached substitute specification. Also attached is a red-lined copy of the 
specification, indicating deleted and added sections. No new matter has been 
added. 
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IN THE CLAIMS : 



Please cancel original claims 1-3, without prejudice. Please also 
cancel, without prejudice, claims 1 and 2 on the revised pages of the annex to the 
International Preliminary Examination Report. 

Please add the following new claims: 

4. (New) A process for establishing a common cryptographic key for n subscribers 
using the DIffie-Hellman process, comprising: 

assigning the n subscribers respective leaves of a binary-structured tree 
which has a root, n leaves, is of depth [loganl and has treenodes; 

for each one of the n subscribers, generating a respective secret, the 
respective secret being assigned to the one of the n leaves to which the one of the 
n subscribers is assigned; and 

establishing secrets consecutively in a direction of the root of the tree for all 
k nodes of the tree starting from the n leaves of the tree across an entire hierarchy 
of the tree, wherein two already known secrets are combined using the Diffie- 
Hellman process to form a new common secret, the new common secret being 
allocated to a common node so that a common cryptographic key for all n 
subscribers is allocated to a last one of tree nodes, the last one of the tree nodes 
being the root of the tree. 

5. (New) The process as recited in claim 4, further comprising: 

adding a new subscriber to the n subscribers of the tree so that there are 
n+1 subscribers of the tree, the adding step including: 

adding two new leaves as successors to a selected one of the n 
leaves of the tree so that the new tree has n+1 leaves and is of depth 
nog2(n+1)l; 

assigning the one of the n subscribers to whom the selected one of 
the n leaves is assigned one of the two new leaves and assigning the new 
subscriber to another one of the two new leaves, the selected one of the n 
leaves becoming a common node for the two new leaves; and 



NY01 354991 v 2 



2 



starting from the new leaves in a direction of the root of the tree, 
establishing new secrets only in those of the tree nodes which lie within a 
framework of the tree on a path from the two new leaves to the root of the 
tree. 

6. (New) The process as recited in claim 4, further comprising: 

excluding a selected one of the n subscribers from the tree, the excluding 
step including: 

removing a first one of the n leaves of the tree to which the selected 
one of the n subscribers is assigned; 

removing a second one of the n leaves, the second one of the n 
leaves sharing a common node with the first one of the n leaves, the 
common node with the first one of the n leaves becoming a new leaf 
assigned to the one of the n subscribers to which the second one of the n 
leaves is assigned; and 

starting from the new leaf of the tree in a direction of the root of the 
tree, establishing new secrets only in those of the tree nodes which lie within 
a framework of the tree on a path from the new leaf to the tree root. 

REMARKS 

This Preliminary Amendment cancels, without prejudice, original claims 1-3 
in the underlying PCT Application No. PCT/EP99/07051 . This Preliminary 
Amendment also cancels, without prejudice, claims 1 and 2 in the revised pages of 
the annex to the International Preliminary Examination Report. The new claims 
conform the claims to U.S. Patent and Trademark Office rules and do not add new 
matter to the application. 

The amendments to the specification and abstract reflected in the substitute 
specification are to conform the specification and abstract to U.S. Patent and 
Trademark Office rules, and do not introduce new matter into the application. 

The underlying PCT Application No. PCT/EP99/07051 includes an 
International Search Report, issued January 27, 2000, a copy of which is included. 
The Search Report includes a list of documents that were considered by the 
Examiner in the underlying PCT application. 
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The underlying PCT Application No. PCT/EP99/07051 also includes 
an Internationai Preliminary Examination Report, issued August 1, 2000. A 
translation of the International Preliminary Examination Report and annex thereto 
is includes herewith. 

It is respectfully submitted that the present invention is new, non- 
obvious, and useful. Prompt consideration and allowance of the claims are 
respectfully requested. 

Respectfully Submitted, 
KENYON & KENYON 

Richard L. Mayer 
Reg. No. 22,490 

One Broadway 
New York, NY 10004 
(212)425-7200 
(212) 425-5288 
CUSTOMER NO. 26646 



Dated : ^ J^A rc^\ 
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PROCESS FOR ESTABLISHING A COMMON CRYPTOGRAPHIC KEY 
FOR N SUBSCRIBERS 

Field of the Invention 

The process according to the present invention is used to 
generate and establish a common cryptographic key for n 
subscribers in order to guarantee the secrecy of messages 
which are to be transmitted exclusively to the n 
subscribers via insecure communication channels. 

Background Information 

The mechanisms of encryption and authentication are used 
to protect the confidentiality and integrity of 
communication between two or more persons. However, such 
mechanisms require the existence of shared information at 
all subscribers. This shared information is referred to 
as a cryptographic key. 

A conventional process for establishing a common key via 
insecure communication channels is the process of Diffie 
and Hellman (DH process; see W. Diffie and M. Hellman, 
New Directions in Cryptography , IEEE Transactions on 
Information Theory, IT-22 (6) : 644 - 654 , November 1976). 
The basis of the Dif f ie-Hellmann key exchange (DH76) is 
the fact that it is virtually impossible to calculate 
logarithms modulo a large prime number p. This fact is 
utilized by Alice and Bob in the example shown below, in 
that they each secretly choose a number x and y, 
respectively, smaller than p (and relatively prime to 
p-1) . They then send each other (consecutively or 
simultaneously) the x-th (and y-th) power of a publicly 
known number a. From the received powers, they are able 
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to calculate a cormnon key K—a^^^ by renewed raising to the 
power with x and y, respectively. An attacker who sees 
only and is unable to calculate K therefrom. (The 
only presently known method of doing so would involve 
5 first calculating the logarithm, e.g., of to the base a 

modulo p, and then raising to that power.) 



Alice 
Secretly chooses x 



15 



Forms K: =(0^)^ = a"=^ Forms K: =(a")^ = a"^ 

Example of Dif f ie-Hellmann key exchange 

The problem with the DH key exchange described in the 
example is that Alice does not know whether she is 
actually communicating with Bob or with an impostor. In 
IPSec, this problem is solved by the use of public key 
certificates in which the identity of a subscriber is 
linked to a public key by a trustworthy authority. The 
identity of a conversation partner is thereby verifiable. 

DH key exchange can also be implemented using other 
mathematical structures, e.g., using finite bodies GF(2n) 
or elliptic curves. Such alternatives make it possible to 
improve performance. However, this process is only 
suitable for agreeing upon a key between two subscribers. 

Various attempts have been made to extend the DH process 
to three or more subscribers (DH groups) . (An overview of 
the state of the art is given by M. Steiner, G. Tsudik, 
M. Waidner, Diffie-Hellman Key Distribution Extended to 
Group Communication, Proc . 3rd ACM Conference on Computer 
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and Communications Security, March 1996, New Delhi, 
India . ) 

An extension of the DH process to three subscribers A, B 
5 and C is described, for example, by the following table. 

(Calculation in each case mod p) : 



10 






A -> B 


B - C 


C - A 




1st 


round 








15 


2nd 


round 


gca 


gab 





After carrying out these two rounds, each of the three 
subscribers is able to calculate the secret key g^^^ mod 



In all these extensions, at least one of the following 
three problems occurs : 

2 5 - The subscribers must be arranged in a certain 

manner, for instance in a circle in the above example. 

The subscribers have no influence vis-a-vis the 
central station on the choice of key. 

The number of rounds is dependent on the number of 

3 0 subscribers. 

A further process for the common establishment of a key 
is described in German Patent Application No. 195 38 
385.0. In this process, however, the central station must 
35 know the secret keys of the subscribers. 
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In the IEEE Transaction On Software Engineering, an 
article dated 5/20/1998, pages 1 through 13, entitled 
"Key Establishment in Large Dynamic Groups Using One -Way 
Function Trees" by David A. McGrew and Alan T. Sherman, 
introduces a process for establishing a common 
cryptographic key. This process is based on a tree 
structure. In that case, a group manager manages a binary 
tree, each node x of it being linked to two cryptographic 
keys, a node key kx and a hidden node key k'x=g(k^) . The 
hidden node key is calculated from the node key with the 
aid of a one-way function. Each subscriber knows the 
unhidden node keys on the path from his/her node up to 
the root and the hidden node keys for the nodes which are 
siblings for his/her path to the root, and otherwise no 
other hidden or unhidden keys. The feasibility of this 
process is based on the fact that the group manager knows 
all the leaf keys. 

Burmester, Desmedt, A secujre and efficient conference key 
distribution system, Proc . EUROCRYPT ' 94 , Springer LNCS , 
Berlin 1994 describes a design in which two rounds are 
required to generate the key, it being necessary in the 
second round for the central station to send n messages 
of length p = approx. 1000 bits for n subscribers. 

Another conventional cryptographic process is referred to 
as the (n,t) threshold process. With an (n,t) threshold 
process, it is possible to break a key k down into t 
parts (called shadows) , such that said key k can be 
reconstructed from any n of the t shadows (see 
Beutelspacher, Schwenk, Wolf enstetter : Moderne Verfahren 
der Kryptographie (2nd edition) , Vieweg Verlag, Wiesbaden 
1998) . 

Summary of the Invention 
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The present invention can provide the establishment of a 
common group key between a central station and a group of 
n subscribers. The present invention can also provide 
that, even after the group key has been established, 
subscribers can be removed from or added to the key 
directory without great effort. 

In accordance with the present invention, a process is 
provided in which a group key is established with the aid 
of a tree structure. To that end, the number of 
subscribers n involved in the key agreement is 
represented as a binary tree having n leaves. For each 
natural number n, there are one or more representations 
of this type. The number of leaves is identical with the 
number of subscribers included in the process. This means 
that a number of n leaves of a binary tree of depth 
[logzu] is allocated to a number of n subscribers. 

Brief Description of the DrawinQS 

Fig. 1 shows a tree structure for three subscribers 
according to an embodiment of the present 
invention; 

Fig. 2 shows a tree structure for a key agreement for 
four subscribers A, B, C and D according to an 
embodiment of the present invention; 

Fig. 3 shows a tree structure of a key agreement for 
five subscribers A, B, C, D and E according to 
an embodiment of the present invention; 

Fig. 4 shows extending the tree structure by one 
subscriber for a further embodiment of the 
present invention according to Fig. 2; and 
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Fig. 5 shows the removal /deletion of a subscriber from 
the tree structure for a further embodiment of 
the present invention according to Fig. 2. 

Detailed Description 

Fig. 1 shows the operating principle of the process 
according to the present invention with reference to the 
tree structure of a key agreement for three subscribers 
A, B, C. 

In order to establish a common key, subscribers A, B and 
C proceed as follows: 

Subscribers A and B carry out a DH process with 
randomly generated numbers a and b. They obtain the 
common key kl=g^'= mod p, which is allocated to the common 
node Kl . 

Subscribers A and B on the one side, and subscriber 
C on the other side carry out a second DH process which 
is based on common key kl of subscribers A and B and on a 
randomly generated number c of subscriber C. The result 
is common key k- g'^''' mod p, which is allocated to the 
root of tree K„. 

In the following, an example of a key agreement for four 
subscribers A, B, C and D is described with reference to 
Fig. 2: 

In order to establish a common key for four subscribers 
(Fig. 2), subscribers A, B, C and D proceed as follows: 

Subscribers A and B carry out a DH process with 
randomly generated numbers a and b. They obtain the 
common key kl =g'''^ mod p . 
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Subscribers C and D carry out a DH process with 
randomly selected nunobers c and d. They obtain the common 
key k2=g'"^ mod p. 

Subscribers A and B on the one side, and subscribers 
C and D on the other side jointly carry out a second DH 
process in which subscribers A and B include key kl and 
subscribers C and D include key k2 . The result is common 
key kw= g"^'^^ mod p, which is allocated to the root of 
tree K„. 

In the following, an example of a key agreement for five 
subscribers A, B, C, D and E is described with reference 
to Fig. 3: 

In order to establish a common key, subscribers A, B, C, 
D and E proceed as follows: 

Subscribers A and B carry out a DH process with 
randomly selected numbers a and b. They obtain the common 
key kl =g^'^ mod p . 

Subscribers C and D carry out a DH process with 
randomly selected numbers c and d. They obtain the common 
key k2 ^g'^'^ mod p . 

Subscribers A and B on the one side, and subscribers 
C and D on the other side jointly carry out a second DH 
process in which subscribers A and B include the common 
key kl and subscribers C and D include the common key K2 . 
The result is a common key k?) - g^^^^ mod p for 
subscribers A, B, C and D. 

Subscribers A, B, C and D on the one side, and 
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subscriber E on the other side carry out a third DH 
process in which common key k3 of subscribers A, B, C and 
D and a random number e generated for subscriber E are 
included. The result is common key = g^^'^ mod p, which 
is allocated to the root of the tree K„. 

Owing to the structure of the process according to the 
present invention, it is possible to include new 
subscribers or to exclude individual subscribers without 
having to carry out the entire process again for each 
subscriber . 

The addition of a new subscriber is explained in greater 
detail with reference to a tree structure having four 
subscribers according to Fig. 4. The starting situation 
is a tree structure according to Fig. 2, to which a new 
subscriber is to be added at leaf B. 

When a new subscriber is added to an already existing 
tree structure which possesses a common secret, in order 
to establish a new common key for n+1 subscribers, two 
new leaves Bl and B2 are added at a suitable location of 
the binary tree (leaf B given) . The new tree then has n+1 
leaves and is of depth flogs (n+1)]. The subscriber 
previously assigned to leaf B is assigned to one of the 
new leaves Bl . The new subscriber is assigned to the 
other leaf B2 still free. The previous leaf B becomes a 
node Kl for leaves Bl and B2 . Starting from new leaves Bl 
and B2, new secrets are established as far as the root of 
the tree only in those nodes K which lie within the 
framework of the tree structure on the path from new 
leaves Bl and B2 to the root of the tree K„. In this 
specific case, they are nodes Kl , K2 and K^. 

If the number of subscribers is a power of two, the depth 
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of the tree is increased through this operation by 1 (see 
previous example) . If the number of subscribers is not a 
power of two, then, through skillful selection of the 
leaf to be divided, it is possible to avoid an increase 
of the depth, as shown by the following example: 

In order, for example, to add a fourth subscriber to 
three subscribers, one proceeds as follows (starting from 
the situation according to Fig. 1) : 

Subscriber C carries out a DH process with newly 
added subscriber D using randomly generated numbers c" 
and d (c" should differ from the previously selected c, 
but this need not be the case) . The result is k2"= g""'"^ 
mod p . 

Subscriber A and subscriber B on the one side, and 
subscribers C and D on the other side carry out a DH 
process using the values kl and k2 . The result is 

yt= g^^-^^' mod p. 

With such a configuration, subscribers A and B need not 
carry out a new key exchange. Generally, it is only 
necessary to newly agree upon the secrets which lie in 
the associated tree on the path from the leaf of the new 
subscriber to root 

The exclusion or deletion of a subscriber is explained in 
greater detail with reference to a tree structure having 
four subscribers according to Fig. 5. The starting 
situation is a tree structure according to Fig. 2, from 
which subscriber B is to be removed. 

When a subscriber B is excluded or deleted from an 
already existing tree structure which has a common 
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secret, then, as indicated in Fig. 5, both the leaf of 
subscriber B who is to be removed and the leaf of 
subscriber A, assigned to the same common node Kl , are 
removed. Common node Kl becomes new leaf A' of subscriber 
5 A remaining in the tree structure. Starting from the 

leaves of the tree and going as far as root K^, new 
secrets are established only in those nodes K which are 
directly affected by new leaf A' within the framework of 
the tree structure in the direction of root K^. In this 

10 specific case, this is only root node K„. Given such a 

configuration, subscribers C and D need not carry out a 
new key exchange. Generally, in this case it is also only 
necessary to newly agree upon those secrets which lie in 
the associated tree on the path from the leaf of the 

15 partner of the removed subscriber to the root. 

The process can be further developed in many ways: For 
example, it is possible to use other groups for forming 
the discrete exponential function 
2 0 X ^ g"". 

When a subscriber is added or removed, it is possible, 
for example, to agree not to use the old secrets, but 
rather the result of a (possibly randomized) one-way 
25 function for the required new implementations of the DH 

process . 
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Abstract 



A process is described which can be used to generate a 
cryptographic key for a group of subscribers whose number 
is subject to change. The process can further provide 
that even after the group key has been established, 
subscribers can be removed from or added to the key 
directory without great effort . 
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PROCESS FOR ESTABLISHING A COMMON CRYPTOGRAPHIC KEY 
FOR N SUBSCRIBERS 

Field of the Invention 

The process according to the present invention is used to 
generate and establish a common cryptographic key for n 
5 subscribers in order to guarantee the secrecy of messages 

which are to be transmitted exclusively to the n 
subscribers via insecure communication channels. 

Background Information 

10 

The mechanisms of encryption and authentication are used 
to protect the confidentiality and integrity of 
communication between two or more persons. However, such 
mechanisms require the existence of shared information at 
15 all subscribers. This shared information is referred to 

as a cryptographic key. 

A rknownl conventional process for establishing a common 
key via insecure communication channels is the process of 
20 Diffie and Hellman (DH process; see W. Diffie and M. 

Hellman, New Directions in Cryptography, IEEE 
Transactions on Information Theory, IT-22 ( 6) : 544 - 654 , 
November 1976) . 

The basis of the Dif f ie-Hellmann key exchange (DH76) is 
25 the fact that it is virtually impossible to calculate 

logarithms modulo a large prime number p. This fact is 
utilized by Alice and Bob in the example shown below, in 
that they each secretly choose a number x and y, 
respectively, smaller than p (and relatively prime to 
30 p-1) . They then send each other (consecutively or 

simultaneously) the x-th (and y-th) power of a publicly 
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known number a. From the received powers, they are able 
to calculate a common key K:=a^^ by renewed raising to the 
power with x and y, respectively. An attacker who sees 
only and is unable to calculate K therefrom. (The 
only presently known method of doing so would involve 
first calculating the logarithm, e.g.^ of a"" to the base a 
modulo p, and then raising to that power.) 

Alice Bob 
Secretly chooses x a'' 



Forms K: =(a^)^ = Forms K: =(0^)^ = a^^ 

Example of Dif f ie-Hellmann key exchange 

The problem with the DH key exchange described in the 
example is that Alice does not know whether she is 
actually communicating with Bob or with an impostor. In 
IPSec, this problem is solved by the use of public key 
certificates in which the identity of a subscriber is 
linked to a public key by a trustworthy authority. The 
identity of a conversation partner is thereby verifiable. 

DH key exchange can also be implemented using other 
mathematical structures, e.g.^ using finite bodies GF (2n) 
or elliptic curves. Such alternatives make it possible to 
improve performance. However, this process is only 
suitable for agreeing upon a key between two subscribers. 

Various attempts have been made to extend the DH process 
to three or more subscribers (DH groups) . (An overview of 
the state of the art is given by M . Steiner, G. Tsudik, 
M. Waidner, Diffie-Hellman Key Distribution Extended to 
Group Communication, Proc . 3rd ACM Conference on Computer 
55376 V 1 2 MARKED UP SPECIFICATION 



and Communications Security, March 1996, New Delhi, 
India . ) 

[ 

]An extension of the DH process to three subscribers A, B 
and C is described, for example, by the following table. 
(Calculation in each case mod p) : 



10 






A - B 


B - C 


C - A 


15 


1st 


round 






g= 


2nd 


round 


gca 







2 0 After carrying out these two rounds, each of the three 

subscribers is able to calculate the secret key g^^^ mod 
P- 

In all these extensions, at least one of the following 
25 three problems occurs: 

The subscribers must be arranged in a certain 
manner, for instance in a circle in the above example. 

The subscribers have no influence vis-a-vis the 
central station on the choice of key. 

3 0 - The number of rounds is dependent on the number of 

subscribers . 

A further process for the common establishment of a key 
is [known from thel described in German Patent Application 
35 No ■ 195 38 385.0. In this process, however, the central 

station must know the secret keys of the subscribers. 
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[A design approach from 1 In the IEEE Tra nsaction On 
Software Engineering, an article dated 5/20/1998, pages 1 
through 13, entitled '■'Key Establishment in Large Dynamic 
Groups Using One -Way Function Trees" b v David A. McGrew 
5 and Alan T. Sherman, introduces a process for 

establishing a common cryptographic ke v. This process is 
based on a tree structure. In that case, a group manager 
manages a binary tree, each node x of it bein g linked to 
two cryptographic keys, a node key kx and a hidden node 

10 key k'x==g(k„) . The hidden node key is calculated from the 

node key with the aid of a one-way function. Each 

subscriber knows the unhidden node keys on the path from 
his/her node up to the root and the hidden node keys for 
the nodes which are siblings for his/her p ath to the 

15 root, and otherwise no other hidden or unhidden keys. The 

feasibility of this process is based on the fact that the 
group manager knows all the leaf keys. 

Burmester, Desmedt, A secure and efficient conference key 
20 distribution system, Proc . EUROCRYPT ' 94 , Springer LNCS , 

Berlin 1994 [is also known . 1 describes a design in which 
two rounds are required to generate the key, it being 
necessary in the second round for the central station to 
send n messages of length p = approx. 1000 bits for n 
25 subscribers. 

[Also known is a1 Another conventional cryptographic 
process is referred to as the (n,t) threshold process. 
With an {n,t) threshold process, it is possible to break 
3 0 a key k down into t parts (called shadows) , such that 

said key k can be reconstructed from any n of the t 
shadows (see Beutelspacher , Schwenk, Wolf enstetter : 
Moderne Verfahren der Kryptographie_[ ] (2nd edition), 
Vieweg Verlag, Wiesbaden 1998) . 
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Summary of the Invention 

The present [process is intended to permit 1 invent ion can 
provide the establishment of a common group key between a 
5 central station and a group of n subscribers. The 

[process is to be such1 present invention can a lso provide 
that, even after the group key has been established, 
subscribers can be removed from or added to the key 
directory without great effort. 

10 

[Tl In accordance with t he [objective is achieved 
bvl present invention, a process is provided in which a 
group key is established with the aid of a tree 
structure. [According to the invention, t]To that end, 

15 the number of subscribers n involved in the key agreement 

is represented as a binary tree having n leaves. For each 
natural number n, there are one or more representations 
of this type. The number of leaves is identical with the 
number of subscribers included in the process. This means 

2 0 that a number of n leaves of a binary tree of depth 

flogju] is allocated to a number of n subscribers. 



Brief Description of the Drawincrs 

2 5 Fig. 1 shows a tree structure for three subscribers 

accordincf to an embodiment of th e present 
invention ; 



shows a tree structure for a key a greement for 
four subscribers A, B. C and D according to an 
embodiment of the present invention; 

shows a tree structure of a key agreem ent for 
five subscribers A. B. C. D and E according to 
an embodiment of the present invention; 

shows extending the tree structure by one 
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subscriber for a further embodiment of the 
present invention accordincf to Fig. 2; and 



Fig. 5 shows the removal /deletion of a subscr iber from 
the tree structure for a further embodi ment of 
the present invention according to Fie;. 2. 



Detailed Description 

10 Fig. 1 shows the operating principle of the process 

according to the present invention with reference to the 
tree structure of a key agreement for three subscribers 
A, B, C. 

15 In order to establish a common key, subscribers A, B and 

C proceed as follows: 

Subscribers A and B carry out a DH process with 
randomly generated numbers a and b. They obtain the 
2 0 common key kl=g'"" mod p, which is allocated to the common 

node Kl. 



Subscribers A and B on the one side, and subscriber 
C on the other side carry out a second DH process which 
is based on common key kl of subscribers A and B and on a 
randomly generated number c of subscriber C. The result 
is common key k = g^^'" mod p, which is allocated to the 

root of tree K^. 
[ 

The process according to the invention is explained in 
greater detail with reference to exemplary embodiments. 
Fig. 2 shows the tree structure for a key agreement for 
four subscribers A, B, C and D. 

Fig 3 shows the tree structure of a key agreement for 
five subscribers A, B, C, D and E. 

Fig. 4, on the basis of an already existing tree 
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structure according to Fig. 2, shows an example for 
extending the tree structure by one subscriber. 
Fig. 5, on the basis of an already existing tree 
structure according to Fig. 2, shows the removal/deletion 
of a subscriber from the tree structure. 
] 

In the following, an example of a key agreement for four 
subscribers A, B, C and D is described with reference to 
Fig. 2: 

In order to establish a common key for four subscribers 
(Fig. 2), subscribers A, B, C and D proceed as follows: 

Subscribers A and B carry out a DH process with 
randomly generated numbers a and b. They obtain the 
common key kl=g''^ mod p. 

Subscribers C and D carry out a DH process with 
randomly selected numbers c and d. They obtain the common 
key k2=g'''^ mod p. 

Subscribers A and B on the one side, and subscribers 
C and D on the other side jointly carry out a second DH 
process in which subscribers A and B include key kl and 
subscribers C and D include key k2 . The result is common 

key kw= g^^'^^ mod p, which is allocated to the root of 

tree K«. 

In the following, an example of a key agreement for five 
subscribers A, B, C, D and E is described with reference 
to Fig. 3 : 

In order to establish a common key, subscribers A, B, C, 
D and E proceed as follows: 

Subscribers A and B carry out a DH process with 
randomly selected numbers a and b. They obtain the common 

55375 ^ 1 7 MARKED UP SPECIFICATION 



key kl=g^'^ mod p. 

Subscribers C and D carry out a DH process with 
randomly selected numbers c and d. They obtain the common 
5 key k2=g=^ mod p. 

Subscribers A and B on the one side, and subscribers 
C and D on the other side jointly carry out a second DH 
process in which subscribers A and B include the common 
10 key kl and subscribers C and D include the common key K2 . 

The result is a common key A:3 = g^^^'^ mod p for 

subscribers A, B^ C and D. 

Subscribers A, B, C and D on the one side, and 
15 subscriber E on the other side carry out a third DH 

process in which common key k3 of subscribers A, B, C and 
D and a random number e generated for subscriber E are 

included. The result is common key kw = g"*^" mod p, which 

is allocated to the root of the tree K^^. 

20 

Owing to the structure of the process according to the 
present invention, it is possible to include new 
subscribers or to exclude individual subscribers without 
having to carry out the entire process again for each 
25 subscriber. 

The addition of a new subscriber is explained in greater 
detail with reference to a tree structure having four 
subscribers according to Fig. 4. The starting situation 
3 0 is a tree structure according to Fig. 2, to which a new 

subscriber is to be added at leaf B. 

When a new subscriber is added to an already existing 
tree structure which possesses a common secret, in order 
35 to establish a new common key for n+1 subscribers, two 
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new leaves Bl and B2 are added at a suitable location of 
the binary tree (leaf B given) . The new tree then has n+1 
leaves and is of depth [logjln+l)]. The subscriber 
previously assigned to leaf B is assigned to one of the 
new leaves Bl . The new subscriber is assigned to the 
other leaf B2 still free. The previous leaf B becomes a 
node Kl for leaves Bl and B2 . Starting from new leaves Bl 
and B2, new secrets are established as far as the root of 
the tree only in those nodes K which lie within the 
framework of the tree structure on the path from new 
leaves Bl and B2 to the root of the tree K^. In this 
specific case, they are nodes Kl , K2 and K^. 

If the number of subscribers is a power of two, the depth 
of the tree is increased through this operation by 1 (see 
previous example) . If the number of subscribers is not a 
power of two, then, through skillful selection of the 
leaf to be divided, it is possible to avoid an increase 
of the depth, as shown by the following example: 

In order, for example, to add a fourth subscriber to 
three subscribers, one proceeds as follows (starting from 
the situation according to Fig. 1) : 

Subscriber C carries out a DH process with newly 
added subscriber D using randomly generated numbers c"^ 
and d (c^ should differ from the previously selected c, 
but this need not be the case) . The result is k2"~= g^''^ 
mod p . 

Subscriber A and subscriber B on the one side, and 
subscribers C and D on the other side carry out a DH 
process using the values kl and k2 " . The result is 

k = g-*^'^^' mod p. 
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carry out a new key exchange. Generally, it is only 
necessary to newly agree upon the secrets which lie in 
the associated tree on the path from the leaf of the new 
subscriber to root K„. 

The exclusion or deletion of a subscriber is explained in 
greater detail with reference to a tree structure having 
four subscribers according to Fig. 5. The starting 
situation is a tree structure according to Fig. 2, from 
which subscriber B is to be removed. 

When a subscriber B is excluded or deleted from an 
already existing tree structure which has a common 
secret, then, as indicated in Fig. 5, both the leaf of 
15 subscriber B who is to be removed and the leaf of 

subscriber A, assigned to the same common node Kl , are 
removed. Common node Kl becomes new leaf A' of subscriber 
A remaining in the tree structure. Starting from the 
leaves of the tree and going as far as root K„, new 
2 0 secrets are established only in those nodes K which are 

directly affected by new leaf A' within the framework of 
the tree structure in the direction of root K„. In this 
specific case, this is only root node K^. Given such a 
configuration, subscribers C and D need not carry out a 
25 new key exchange. Generally, in this case it is also only 

necessary to newly agree upon those secrets which lie in 
the associated tree on the path from the leaf of the 
partner of the removed subscriber to the root . 



The process can be [advantageously ] further developed in 
many ways: For example, it is possible to use other 
groups for forming the discrete exponential function 
X g". 

When a subscriber is added or removed, it is possible, 
for example, to agree not to use the old secrets, but 
rather the result of a (possibly randomized) one-way 
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function for the required new implementations of the DH 
process . 



5 
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[Abstract 

The process is to be such that,] 
Abstract 

A process is described which can be used to g enerate a 
cryptographic key for a group of subscribers whose number 
is subject to change. The process can further provide 
that even after the group key has been established, 
subscribers can be removed from or added to the key 
directory without great effort . 

[According to the present invention, each of the n 
subscribers (I) is assigned to one leaf of a 
binary- structured tree which has precisely n leaves and 
is of depth flogan]. For each subscriber (I) , a secret (i) 
is generated and is assigned to that leaf of the tree to 
which the respective subscriber (I) is also assigned. 
Secrets are established consecutively in the direction of 
the tree root for all nodes (K) of the tree, two already 
known secrets always being combined via the DH process to 
form a new common secret. The last node K„ contains the 
common key of all n subscribers. 

The process of the present invention can be 

advantageously used to generate a cryptographic key for a 
group of subscribers whose number is subject to change. 

Fig. 1] 
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process for establishing a commoi^^cryptographic key 
— ■ '"forW subscribers 



The process according to the present invention is used to 
generate and establish a common cryptographic key for n 
subscribers in order to guarantee the secrecy of messages 
which are to be transmitted exclusively to the n 
subscribers via insecure communication channels. 

The mechanisms of encryption and authentication are used 
to protect the confidentiality and integrity of 
communication between two or more persons. However, such 
mechanisms require the existence of shared information at 
all subscribers. This shared information is referred to 
as a cryptographic key. 

A known process for establishing a common key via 
insecure communication channels is the process of Diffie 
and Hellman (DH process; see W. Diffie and M. Hellman, 
New Directions in Cryptography, IEEE Transactions on 
Information Theory, IT-22 (6) : 644-654 , November 1976). 
The basis of the Dif f ie-Hellmann key exchange (DH76) is 
the fact that it is virtually impossible to calculate 
logarithms modulo a large prime number p. This fact is 
utilized by Alice and Bob in the example shown below, in 
that they each secretly choose a number x and y, 
respectively, smaller than p (and relatively prime to 
p-1) . They then send each other (consecutively or 
simultaneously) the x-th (and y-th) power of a publicly 
known number a. From the received powers, they are able 
to calculate a common key K:=a'=^ by renewed raising to the 
power with x and y, respectively. An attacker who sees 
only a'^ and is unable to calculate K therefrom. (The 
only presently known method of doing so would involve 



NY01 364566 v1 



•!I!!'I""H, II 1.111 flip 



first calculating the logarithm, e.g. of a"" to the base a 
modulo p, and then raising to that power.) 



Alice Bob 
5 Secretly chooses x a'' 



Example of Dif f ie-Hellmann key exchange 

The problem with the DH key exchange described in the 
example is that Alice does not know whether she is 
actually communicating with Bob or with an impostor. In 
IPSec, this problem is solved by the use of public key 
certificates in which the identity of a subscriber is 
linked to a public key by a trustworthy authority. The 
identity of a conversation partner is thereby verifiable. 

DH key exchange can also be implemented using other 
mathematical structures, e.g. using finite bodies GF(2n) 
or elliptic curves. Such alternatives make it possible to 
improve performance. However, this process is only 
suitable for agreeing upon a key between two subscribers. 

Various attempts have been made to extend the DH process 
to three or more subscribers (DH groups) . (An overview of 
the state of the art is given by M. Steiner, G. Tsudik, 
M. Waidner, Diffie-Hellman Key Distribution Extended to 
Group Communication, Proc . 3rd ACM Conference on Computer 
and Communications Security, March 1996, New Delhi, 
India . ) 



An extension of the DH process to three subscribers A, B 
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and C is described, for example, by the following table. 
(Calculation in each case mod p) : 



A-B B-C C-A 



1st round g^ g"" g'' 



2nd round g^^ g^"* g 



After carrying out these two rounds, each of the three 
subscribers is able to calculate the secret key g^^"" mod 
P- 

In all these extensions, at least one of the following 
three problems occurs : 

The subscribers must be arranged in a certain 
manner, for instance in a circle in the above example. 

The subscribers have no influence vis-a-vis the 
central station on the choice of key. 

The number of rounds is dependent on the number of 
subscribers . 

A further process for the common establishment of a key 
is known from the German Patent 195 38 385.0. In this 
process, however, the central station must know the 
secret keys of the subscribers. 

A design approach from Burmester, Desmedt , A secure and 
efficient conference key distribution system, Proc. 
EUROCRYPT ' 94 , Springer LNCS, Berlin 19 94 is also known, 
in which two rounds are required to generate the key, it 
being necessary in the second round for the central 
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station to send n messages of length p = approx. 1000 
bits for n subscribers. 



Also known is a cryptographic process referred to as the 
(n,t) threshold process. With an (n,t) threshold process, 
it is possible to break a key k down into t parts (called 
shadows) , such that said key k can be reconstructed from 
any n of the t shadows (see Beutelspacher , Schwenk, 
Wolfenstetter : Moderne Verfahren der Kryptographie (2nd 
edition) , Vieweg Verlag, Wiesbaden 1998) . 

The present process is intended to permit the 
establishment of a common group key between a central 
station and a group of n subscribers. The process is to 
be such that, even after the group key has been 
established, subscribers can be removed from or added to 
the key directory without great effort. 

The objective is achieved by a process in which a group 
key is established with the aid of a tree structure. 
According to the invention, to that end, the number of 
subscribers n involved in the key agreement is 
represented as a binary tree having n leaves. For each 
natural number n, there are one or more representations 
of this type. The number of leaves is identical with the 
number of subscribers included in the process. This means 
that a number of n leaves of a binary tree of depth 
flogsu] is allocated to a number of n subscribers. 

Fig. 1 shows the operating principle of the process 
according to the invention with reference to the tree 
structure of a key agreement for three subscribers A, B, 
C. 

In order to establish a common key, subscribers A, B and 
C proceed as follows: 

Subscribers A and B carry out a DH process with 



I' J I'l l I' T llff 



Jl Illll.lJiil l i ii 



randomly generated numbers a and b. They obtain the 
common key kl=g^'' mod p, which is allocated to the common 
node Kl. 

Subscribers A and B on the one side, and subscriber 
C on the other side carry out a second DH process which 
is based on common key kl of subscribers A and B and on a 
randomly generated number c of subscriber C. The result 
is common key k ^ g''^'^ mod p, which is allocated to the 
root of tree K^,. 

The process according to the invention is explained in 
greater detail with reference to exemplary embodiments. 
Fig. 2 shows the tree structure for a key agreement for 
four subscribers A, C and D. 

Fig 3 shows the tree structure of a key agreement for 
five subscribers A, B, C, D and E. 

Fig. 4, on the basis of an already existing tree 
structure according to Fig. 2, shows an example for 
extending the tree structure by one subscriber. 
Fig. 5, on the basis of an already existing tree 
structure according to Fig. 2, shows the removal/deletion 
of a subscriber from the tree structure. 

In the following, an example of a key agreement for four 
subscribers A, B, C and D is described with reference to 
Fig. 2: 

In order to establish a common key for four subscribers 
(Fig. 2), subscribers A, B, C and D proceed as follows: 

Subscribers A and B carry out a DH process with 
randomly generated numbers a and b. They obtain the 
common key kl=g^^ mod p. 

Subscribers C and D carry out a DH process with 
randomly selected numbers c and d. They obtain the common 
key k2=g'^^ mod p. 

Subscribers A and B on the one side, and subscribers 
C and D on the other side jointly carry out a second DH 
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process in which subscribers A and B include key kl and 
subscribers C and D include key k2 . The result is common 
key kw= g^^'^'^ mod p, which is allocated to the root of 
tree K^^. 

In the following, an example of a key agreement for five 
subscribers A, B, C, D and E is described with reference 
to Fig. 3: 

In order to establish a common key, subscribers A, B, C, 
D and E proceed as follows: 

Subscribers A and B carry out a DH process with 
randomly selected numbers a and b. They obtain the common 
key kl=g^'= mod p. 

Subscribers C and D carry out a DH process with 
randomly selected numbers c and d. They obtain the common 
key k2=g'^^ mod p. 

Subscribers A and B on the one side, and subscribers 
C and D on the other side jointly carry out a second DH 
process in which subscribers A and B include the common 
key kl and subscribers C and D include the common key K2 . 
The result is a common key A:3 = g^^^'^ mod p for 
subscribers A, B, C and D. 

Subscribers A, B, C and D on the one side, and 
subscriber E on the other side carry out a third DH 
process in which common key k3 of subscribers A, B, C and 
D and a random number e generated for subscriber E are 
included. The result is common key kw = g^^'^ mod p, which 
is allocated to the root of the tree K„. 



Owing to the structure of the process according to the 



invention, it is possible to include new subscribers or 
to exclude individual subscribers without having to carry 
out the entire process again for each subscriber. 

The addition of a new subscriber is explained in greater 
detail with reference to a tree structure having four 
subscribers according to Fig. 4. The starting situation 
is a tree structure according to Fig. 2, to which a new 
subscriber is to be added at leaf B. 

When a new subscriber is added to an already existing 
tree structure which possesses a common secret, in order 
to establish a new common key for n+1 subscribers, two 
new leaves Bl and B2 are added at a suitable location of 
the binary tree (leaf B given) . The new tree then has n+1 
leaves and is of depth [log2(n+l)l. The subscriber 
previously assigned to leaf B is assigned to one of the 
new leaves Bl. The new subscriber is assigned to the 
other leaf B2 still free. The previous leaf B becomes a 
node Kl for leaves Bl and B2 . Starting from new leaves Bl 
and B2 , new secrets are established as far as the root of 
the tree only in those nodes K which lie within the 
framework of the tree structure on the path from new 
leaves Bl and B2 to the root of the tree K„. In this 
specific case, they are nodes Kl , K2 and K„. 

If the number of subscribers is a power of two, the depth 
of the tree is increased through this operation by 1 (see 
previous example) . If the number of subscribers is not a 
power of two, then, through skillful selection of the 
leaf to be divided, it is possible to avoid an increase 
of the depth, as shown by the following example: 

In order, for example, to add a fourth subscriber to 
three subscribers, one proceeds as follows (starting from 
the situation according to Fig. 1) : 



Subscriber C carries out a DH process with newly 
added subscriber D using randomly generated numbers c" 
and d (c" should differ from the previously selected c, 
but this need not be the case) . The result is k2"= g^'"^ 
mod p . 

Subscriber A and subscriber B on the one side, and 
subscribers C and D on the other side carry out a DH 
process using the values kl and k2 ^ . The result is 

k = g-^^'*^' mod p . 

With such a configuration, subscribers A and B need not 
carry out a new key exchange. Generally, it is only 
necessary to newly agree upon the secrets which lie in 
the associated tree on the path from the leaf of the new 
subscriber to root K„. 

The exclusion or deletion of a subscriber is explained in 
greater detail with reference to a tree structure having 
four subscribers according to Fig. 5. The starting 
situation is a tree structure according to Fig. 2, from 
which subscriber B is to be removed. 

When a subscriber B is excluded or deleted from an 
already existing tree structure which has a common 
secret, then, as indicated in Fig. 5, both the leaf of 
subscriber B who is to be removed and the leaf of 
subscriber A, assigned to the same common node Kl , are 
removed. Common node Kl becomes new leaf A' of subscriber 
A remaining in the tree structure. Starting from the 
leaves of the tree and going as far as root K„, new 
secrets are established only in those nodes K which are 
directly affected by new leaf A' within the framework of 
the tree structure in the direction of root K„. In this 
specific case, this is only root node K„. Given such a 
configuration, subscribers C and D need not carry out a 
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new key exchange. Generally, in this case it is also only 
necessary to newly agree upon those secrets which lie in 
the associated tree on the path from the leaf of the 
partner of the removed subscriber to the root . 

The process can be advantageously further developed in 
many ways: For example, it is possible to use other 
groups for forming the discrete exponential function 
X g". 

When a subscriber is added or removed, it is possible, 
for example, to agree not to use the old secrets, but 
rather the result of a (possibly randomized) one-way 
function for the required new implementations of the DH 
process . 
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1. A process for establishing a common cryptographic key 
for n subscribers using the DH process, 
characterized in that 

- each of the n subscribers (I) is assigned one leaf of a 
binary-structured tree which has precisely n leaves and 
is of depth [logan]; 

- for each subscriber (I) , a secret (i) is generated and 
assigned to that leaf of the tree to which the respective 
subscriber (I) is also assigned; 

- secrets are established consecutively in the direction 
of the tree root for all nodes (K) of the tree, where, 
starting from the leaves according to the defined tree 
structure across the entire hierarchy of the tree 
structure, two already known secrets are always combined 
via the DH process to form a new common secret and are 
allocated to a common node (K) , so that the last node K„ 
and therefore the tree root contains the common key of 
all n subscribers as the secret. 

2. The process as recited in Claim 1, 
characterized in that 

- when a new subscriber is added to an existing tree 
structure which already has a common secret, in order to 
establish a common key for n+1 subscribers, two new 
leaves (Bl and B2) are added as successors to a leaf (B) 
at a suitable location of the binary tree, so that the 
new tree has precisely n+1 leaves and is of depth 

flog^ (n+l)l; 

- the subscriber assigned to the previous leaf (B) and 
the new subscriber are each assigned to one of the new 
leaves (B1;B2) , the previous leaf B becoming a common 
node for the new leaves (B1;B2); 

- starting from the new leaves (B1;B2) and going as far 
as the root of the tree, new secrets are established only 
in those nodes which lie within the framework of the tree 



structure on the path from leaves Bl and B2 to the tree 
root . 

3. The process as recited in Claim 1, 
characterized in that 

- when a subscriber (B) is excluded from an already 
existing tree structure which already has a secret, both 
the leaf of the subscriber (B) to be removed as well as 
the leaf of the subscriber (A) assigned to the same 
common node are removed; 

- the common node becomes the leaf of the subscriber A 
who is not to be removed, and starting from the leaves of 
the tree and going as far as the root, new secrets are 
established only in those nodes which lie within the 
framework of the tree structure on the path from the new 
leaf (A) to the tree root. 
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Abstract 



The process is to be such that, even after the group key 
has been established, subscribers can be removed from or 
added to the key directory without great effort. 

According to the present invention, each of the n 
subscribers (I) is assigned to one leaf of a 
binary- structured tree which has precisely n leaves and 
is of depth flogzn"]. For each subscriber (!) , a secret (i) 
is generated and is assigned to that leaf of the tree to 
which the respective subscriber (I) is also assigned. 
Secrets are established consecutively in the direction of 
the tree root for all nodes (K) of the tree, two already 
known secrets always being combined via the DH process to 
form a new common secret. The last node K„ contains the 
common key of all n subscribers. 

The process of the present invention can be 

advantageously used to generate a cryptographic key for a 
group of subscribers whose number is subject to change. 

Fig. 1 
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Fig. 5 
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DECLARATION AND POWER OF ATTORNEY 



As a below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below next to 

my name. 

I believe I am an original, first and sole inventor of the subject matter which is 
claimed and for which a patent is sought on the invention entitled PROCESS FOR 
ESTABLISHING A COMMON CRYPTOGRAPHIC KEY FOR N SUBSCRIBERS, the 
specification of which was filed as International Application No. PCT/EP99/07051 on 
September 22, 1999 and as U.S. Application Serial No. 09/807181 on April 9, 2001. 

I hereby state that I have reviewed and understand the contents of the 
above-identified specification, including the claims. 

I acknowledge the duty to disclose information which is material to the 
examination of this application in accordance with Title 37, Code of Federal Regulations, 
§ 1.56(a). 

I hereby claim foreign priority benefits under Title 35, United States Code, § 
119 of any foreign application(s) for patent or inventor's certificate listed below and have also 
identified below any foreign application(s) for patent or inventor's certificate having a filing 
date before that of the application on which priority is claimed: 

PRIOR FOREIGN APPLICATION(S^ 

Number Country Day/Montfa/Year Priority Claimed 

Filed Under35USC119 

198 47 941.7 Fed. Rep. of 09 October 1998 Yes 

Germany 
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And I hereby appoint Richard L. Mayer (Reg. No. 22,490), Gerard A. Messina 
(Reg. No. 35,952) and Linda M. Shudy (Reg. No. 47,084) my attorneys with foil power of 
substitution and revocation, to prosecute this application and to transact all business in the 
Patent and Trademark Office connected therewith. 

Please address all communications regarding this application to: 

KENYON & KENYON 
One Broadway 
New York JfewYoric^lOO^ 
rSjSTOMER NO. 26646 > 

, " — 

3 Please direct all telephone calls to Richard L. Mayer at (212) 425-7200. 

''^ I hereby declare that all statements made herein of my own knowledge are true 

IB and that all statements made on information and belief are believed to be true; and further that 

J, these statements were made with the knowledge that willful false statements and the like so 

Sri made are pimishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the 

N= United States Code and that such willfiil and false statements may jeopardize the validity of 

t:!l the application or any patent issued thereon. 
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Inventor: Joerg SCHWENK 



Inventor's Signature: _ 



Date: ^. ~{r^^_ '7^3^ 



Residence: Suedwestring 27 , ^ 

64807 Dieburg I>i^K 
Federal Republic of Germany 



Citizenship: German 



Post Office Address: Same as above. 
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